Last month, Kaspersky Lab researchers investigated a global forum where cybercriminals can buy and sell access to compromised servers for as little as $6 each. The xDedic marketplace, which appeared to be run by a Russian-speaking group, listed, in May, 70,624 hacked Remote Desktop Protocol (RDP) servers for sale.
Many of the servers host or provide access to popular consumer websites and services and some have software installed for direct mail, financial accounting and Point-of-Sale (PoS) processing.
The servers’ legitimate owners, reputable organisations including government networks, corporations and universities, are often unaware that their IT infrastructure has been compromised. Furthermore, once a campaign has been completed, the attackers can put access to the server back up for sale and the whole process can begin again.
Aleks Gostev, Chief Security Expert, Global Research and Analysis Team, Kaspersky Lab told Networks Asia that it normally takes enterprises 9 months to discover that they have suffered an IT breach.
“Based on Kaspersky Lab's experience, if the attacker was not stopped at the first stage of attack, they spend about 1-2 months exploring the network, mapping and preparing for the next step during the next stage, where reconnaissance occurs. Hence, it is done silently. Only after this will the attacker begin to deploy additional tools, infecting new victims inside the network and exfiltrating information. It is at this stage where the attacker makes the most mistakes and leaves behind different artefacts, leading to their discovery by permanent security checks.”
xDedic is a powerful example of a new kind of cybercriminal marketplace: well-organised and supported and offering everyone from entry-level cybercriminals to APT groups fast, cheap and easy access to legitimate organisational infrastructure that keeps their crimes below the radar for as long as possible.
The process is simple and thorough: hackers break into servers, often through brute-force attacks against RDP logins, and bring the credentials to xDedic. The hacked servers are then profiled for their RDP configuration, memory, installed software, browsing history and more – all attributes that customers can search through before buying.
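The entry path described above, repeated password guessing against RDP until one account opens, leaves a distinctive trail in the Windows Security log: a burst of failed logons (event 4625) from one source, followed by a successful logon (event 4624) from the same source. The following detection is an added example, not code from the article or from Kaspersky Lab. It assumes the Security log has already been exported to a list of event records with the fields used here; the sample events are constructed for illustration. Event IDs 4624/4625 and logon types 3 (Network, which is how RDP with Network Level Authentication fails) and 10 (RemoteInteractive) are standard Windows values.

```python
"""Flag RDP brute-force bursts and the success that follows them.

Added example, not the article's or Kaspersky Lab's code. Assumes Windows
Security events have been exported to dicts with the fields used below;
the sample events are constructed, not real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625     # Windows: an account failed to log on
SUCCESS_LOGON = 4624    # Windows: an account was successfully logged on
RDP_LOGON_TYPES = {3, 10}   # 3 = Network (NLA failures), 10 = RemoteInteractive
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return alerts for sources with >= threshold failed RDP logons inside
    `window`, and a higher-severity alert when such a source then logs on
    successfully (the pattern that produces a sellable server)."""
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    usernames = defaultdict(set)    # src_ip -> account names tried
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as text
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue                                   # console/service logons are out of scope
        ts = datetime.strptime(ev["ts"], TS_FORMAT)
        ip = ev["src_ip"]
        recent = failures[ip]
        while recent and ts - recent[0] > window:      # slide the window forward
            recent.popleft()
        if ev["event_id"] == FAILED_LOGON:
            recent.append(ts)
            usernames[ip].add(ev["user"])
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "severity": "medium",
                    "src_ip": ip,
                    "reason": f"{len(recent)} failed RDP logons within {window}",
                    "accounts": sorted(usernames[ip]),
                })
        elif ev["event_id"] == SUCCESS_LOGON and ip in flagged:
            # A success from a source that was already guessing is the
            # moment the server becomes marketplace inventory.
            alerts.append({
                "severity": "high",
                "src_ip": ip,
                "reason": f"successful RDP logon as {ev['user']} after brute-force burst",
                "accounts": sorted(usernames[ip]),
            })
    return alerts


def sample_events():
    """Constructed sample: 12 guesses from 203.0.113.7 in two minutes and
    then a success; two stray failures from 198.51.100.5 an hour apart;
    one console (logon type 2) failure that must be ignored."""
    base = datetime(2016, 6, 1, 3, 0, 0)
    stamp = lambda secs: (base + timedelta(seconds=secs)).strftime(TS_FORMAT)
    guessed = ["administrator", "admin", "backup", "sql"]
    events = [
        {"ts": stamp(10 * i), "event_id": FAILED_LOGON, "logon_type": 3,
         "src_ip": "203.0.113.7", "user": guessed[i % len(guessed)]}
        for i in range(12)
    ]
    events.append({"ts": stamp(130), "event_id": SUCCESS_LOGON, "logon_type": 10,
                   "src_ip": "203.0.113.7", "user": "administrator"})
    events.append({"ts": stamp(45), "event_id": FAILED_LOGON, "logon_type": 2,
                   "src_ip": "203.0.113.7", "user": "administrator"})
    events.append({"ts": stamp(30), "event_id": FAILED_LOGON, "logon_type": 3,
                   "src_ip": "198.51.100.5", "user": "jsmith"})
    events.append({"ts": stamp(3630), "event_id": FAILED_LOGON, "logon_type": 3,
                   "src_ip": "198.51.100.5", "user": "jsmith"})
    return events


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(sample_events()):
        print(alert["severity"].upper(), alert["src_ip"], alert["reason"], alert["accounts"])
```

The threshold and window are deliberately loose; on a real log the same logic should be fed the source address from the 4625/4624 event's network fields and tuned against the host's normal administrator traffic, and the "high" alert is the one worth paging on, because it marks a completed compromise rather than noise from a scanner.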
Risk mitigation or traditional perimeter defense?
With the rise of breaches, should enterprises then strive for risk mitigation rather than the traditional perimeter defense or defense in depth? According to Gostev, while risk mitigation is de facto standard practice, companies cannot be protected with firewalls or antivirus solutions alone; they should understand the potential risks and the necessary steps to take if such incidents occur.
Given the number of systems that are potential entry points for attackers, such as building controls, traditional ways of detecting intrusions do not work anymore. Gostev said companies should collect as much data as possible, with knowledgeable experts to understand what is going on in case of a network anomaly.
Gostev added that companies should collect data not only from their own network but also to have a permanent information flow on current threats from security vendors and to always deploy protection measures proactively.
The rise of mobility has also blurred the traditional perimeter, pushing it out to the device. “Protecting data is at the ‘information level’ stage, where we are currently at. Looking towards the application and network stages is where the future lies,” added Gostev.
“Companies should always be prepared and have a plan on minimising potential damage,” said Gostev, noting that employees are always and will remain the weakest link.
Gostev also noted that companies should inform authorities and customers immediately after the discovery of a breach. “Unfortunately, it is impossible to understand what was stolen at the beginning of the investigation. But in general, the best solution is to report the breach as soon as possible, especially if it may lead to possible legal consequences,” he added.
In some cases, customers may open a legal case against the breached company. “Not informing customers of data loss or leakage would work against the company, harming their reputation.”